MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee3e1ff02ef8c163c2472764b0f380528809ab305de242bd049c0f99c8ffdddd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee3e1ff02ef8c163c2472764b0f380528809ab305de242bd049c0f99c8ffdddd
SHA3-384 hash: f0135bcba290db054ff36245ce0b11ce28694665382eae63f3751a0acb1bc62d0bcbb78a78995e7f73023ac022595ad5
SHA1 hash: 72e1f0a1f136f8828c796bddbcf413b6d5634a20
MD5 hash: c321a571045f4bfa9dd8a51e78c1a27d
humanhash: football-grey-harry-echo
File name:c321a571045f4bfa9dd8a51e78c1a27d.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:529'502 bytes
First seen:2021-06-02 11:10:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 64 x GuLoader, 54 x Loki)
ssdeep 12288:ektoshDWmIVtJtEUwCg9gqdlPVWiHKTmKN:e0JhDnIVtJtuC7wldWVmu
Threatray 748 similar samples on MalwareBazaar
TLSH 99B423153180E5B1EAB717B60BF85061DFEBA12625D86B4723C48B98B74F0D1E48B3F6
Reporter abuse_ch
Tags:exe RAT RemcosRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c321a571045f4bfa9dd8a51e78c1a27d.exe
Verdict:
Malicious activity
Analysis date:
2021-06-02 11:13:17 UTC
Tags:
rat remcos keylogger stealer
Link:
https://app.any.run/tasks/050b21c3-326c-412e-bc04-a2de3cf1f79e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164008/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.15528.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Enabling the 'hidden' option for files in the %temp% directory
Launching a process
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/795866
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 428273 Sample: PcdEZG6zDS.exe Startdate: 02/06/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 7 other signatures 2->48 7 PcdEZG6zDS.exe 18 2->7         started        11 wscript.exe 1 2->11         started        process3 file4 32 C:\Users\user\AppData\...32mptwbQuMq.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\...\giagbakrxo.dll, PE32 7->34 dropped 36 C:\Users\...36mptwbQuMq.exe:Zone.Identifier, ASCII 7->36 dropped 52 Writes to foreign memory regions 7->52 54 Allocates memory in foreign processes 7->54 56 Injects a PE file into a foreign processes 7->56 13 dllhost.exe 2 3 7->13         started        17 NmptwbQuMq.exe 12 11->17         started        signatures5 process6 dnsIp7 40 185.19.85.137, 10029, 49721, 49723 DATAWIRE-ASCH Switzerland 13->40 58 Tries to steal Mail credentials (via file registry) 13->58 60 Contains functionalty to change the wallpaper 13->60 62 Contains functionality to steal Chrome passwords or cookies 13->62 72 5 other signatures 13->72 20 dllhost.exe 13 13->20         started        24 dllhost.exe 1 13->24         started        26 dllhost.exe 1 13->26         started        30 C:\Users\user\AppData\...\giagbakrxo.dll, PE32 17->30 dropped 64 Multi AV Scanner detection for dropped file 17->64 66 Machine Learning detection for dropped file 17->66 68 Writes to foreign memory regions 17->68 70 Allocates memory in foreign processes 17->70 28 dllhost.exe 17->28         started        file8 signatures9 process10 dnsIp11 38 192.168.2.1 unknown unknown 20->38 50 Tries to harvest and steal browser information (history, passwords, etc) 20->50 signatures12
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ee3e1ff02ef8c163c2472764b0f380528809ab305de242bd049c0f99c8ffdddd/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-06-01 20:42:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
29 of 47 (61.70%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5y7b74bo7dawhqshe5slb44akkeatkzqlxrefpietqhztsh73xoq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
134427c58b0e1acd504b9f8980bfa29a808a27216adb1999e8dbc4a3fe2b0031
RemcosRAT
3d263b6e2cdc6e43060faf06203a211ed5f716238157fc36f3f0d5b21777c0ac
RemcosRAT
46131c5f93779a7547011c983be113cbf561fee1f4cba59ce8dd8f0bfb4a48f7
RemcosRAT
5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27
RemcosRAT
912f4c7877aa8c2990a743175b96e6d3c0564cd14f752554f18677d94b2df0cc
RemcosRAT
995f29caf80a4902430611c45e0619adbcd60e3a9f283a562fce6bd7baebc075
RemcosRAT
a465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200
RemcosRAT
b1849476d3b8900288d6bf7c9ac229eba5e64d665398302a0842c335259f6560
RemcosRAT
b782581b1ca3da09fdf3ecbb173ee3ca1f313f5f325f407df976601cad8ce839
RemcosRAT
ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914
RemcosRAT
+ 738 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos rat
Link:
https://tria.ge/reports/210602-pyqk51yemn/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Remcos
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
185.19.85.137:10029
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee3e1ff02ef8c163c2472764b0f380528809ab305de242bd049c0f99c8ffdddd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe ee3e1ff02ef8c163c2472764b0f380528809ab305de242bd049c0f99c8ffdddd

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/164008/
  
URLhaus
https://urlhaus.abuse.ch/url/1310826/
  
Delivery method
Distributed via web download

Comments